12 July 2024

Cyber Security Week in Review: July 12, 2024

Microsoft July 2024 Patch Tuesday fixes two zero-days

Microsoft rolled out its July 2024 Patch Tuesday security updates designed to fix over 140 vulnerabilities across a wide range of products. The release also includes fixes for two actively exploited zero-day vulnerabilities.

One of the zero-days is a Windows Hyper-V elevation of privilege vulnerability (CVE-2024-38080), caused by an integer overflow in the Windows Hyper-V component. A local user can trigger the integer overflow and execute arbitrary code with SYSTEM privileges. The flaw affects Windows versions before 11 23H2 10.0.22631.3880 and Windows Server versions before 2022 10.0.20348.2582.

The second zero-day flaw (CVE-2024-38112) affects the Windows MSHTML Platform and can be exploited by a remote attacker to perform a spoofing attack and trick the victim into executing a specially crafted file. The issue impacts Microsoft Internet Explorer 11 - 11.1790.17763.0, Windows before 11 23H2 10.0.22631.3880, and Windows Server before 2022 10.0.20348.2582. According to Check Point Research, this flaw has been actively exploited in attacks for over a year to launch malicious scripts.

A high-severity Ghostscript flaw is being exploited in the wild

Security researchers have warned of active exploitation of a high-severity vulnerability in Ghostscript, a widely used interpreter for the PostScript language and PDF files. Tracked as CVE-2024-29510, the flaw is a format string issue that allows threat actors to bypass the -dSAFER sandbox and achieve remote code execution (RCE). The vulnerability affects all Ghostscript versions up to and including 10.03.0.

A recently patched PHP bug exploited to deploy malware

Multiple threat actors are exploiting a recently disclosed security flaw in PHP to deploy remote access trojans, cryptocurrency miners, and botnets for distributed denial-of-service (DDoS) attacks. Tracked as CVE-2024-4577, the flaw is an OS command injection issue that allows a remote attacker to execute arbitrary shell commands on the target system.

Australia and partners accuse Chinese hackers of large-scale cyberespionage

Australia and its allies have released a joint security advisory highlighting malicious cyber operations conducted by the state-sponsored, China-linked threat actor APT40. According to the authorities, the adversary has repeatedly targeted Australian networks as well as government and private sector networks in the region. The group's primary attack methods include phishing campaigns and the use of valid credentials to enable a range of follow-on activities. After compromising a network, the threat actor attempts to establish persistence via a web shell to maintain access to the victim's environment.

Chinese threat actor APT41 upgrades its toolset

Zscaler ThreatLabz released the first part of a technical deep-dive into the attack tools used by the Chinese threat actor known as APT41 or Earth Baku. The group has been observed using an advanced and upgraded version of the known malware StealthVector (aka Dustpan), dubbed "DodgeBox."

Hackers linked to Houthi rebels target Middle East militaries with GuardZoo spyware

A hacking campaign attributed to Houthi-aligned threat actors has been actively targeting military personnel across the Middle East with a novel spyware strain named GuardZoo since October 2019. GuardZoo is designed to collect a wide array of data from infected Android devices, including photos, documents, coordinate data files related to marked locations, routes, and tracks, as well as the device’s location, model, cellular service carrier, and Wi-Fi configuration. The spyware can also download and install additional applications on the infected device, potentially introducing new invasive capabilities.

The campaign has targeted militaries in seven Middle Eastern countries, including Saudi Arabia, Oman, Egypt, Yemen, the UAE, Qatar, and Turkey.

In a separate report, Recorded Future's Insikt Group detailed the cyber operations of another pro-Houthi hacker group, OilAlpha, which targets humanitarian and human rights organizations operating in Yemen, including CARE International and the Norwegian Refugee Council, with malicious Android apps. These apps are designed to steal credentials and collect intelligence, potentially to control aid distribution.

Japan warns of North Korea Kimsuky attacks

Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) has issued a warning about North Korean 'Kimsuky' threat actors targeting Japanese organizations.

The US government identifies Kimsuky as an advanced persistent threat (APT) group from North Korea that conducts global attacks to collect intelligence for the North Korean government. The threat actor uses social engineering and phishing to infiltrate networks, then deploys custom malware to steal data and maintain a presence. JPCERT/CC confirmed attacks targeting Japanese entities in March 2024.

In other news, the Japan Aerospace Exploration Agency (JAXA) said it has been hit with several cyberattacks since last year, with hackers gaining access to the agency’s servers.

One of the security incidents occurred in October 2023, when intruders gained access to some of JAXA's business intranet servers. Following the breach, the agency took measures to contain the incident and initiated an investigation into the matter. The investigation determined that threat actors stole information related to JAXA’s joint business operations with external organizations and personal information.

The US takes down AI-driven Russian bot farm spreading disinformation on large scale

The US authorities seized two domain names and searched nearly a thousand social media accounts linked to a sophisticated AI-enhanced social media bot farm operated by Russian threat actors. The bot farm, designed to disseminate disinformation both in the United States and abroad, leveraged advanced artificial intelligence to create fake social media profiles purportedly belonging to individuals in the US.

The bot farm used an enhanced software package dubbed "Meliorator" to generate false personas on various social media platforms. This software, incorporating AI components such as image production and text generation, allowed the operators to create and maintain fake accounts on a large scale.

In addition, researchers have discovered that a Russian-language disinformation network called Doppelgänger is using infrastructure located or registered in Europe. Reports from digital rights nonprofits Qurium and EU DisinfoLab, who first exposed Doppelgänger in 2022, said that the network operates in at least 10 European countries, including Germany, the UK, and the Czech Republic. Active in Europe since at least May 2022, Doppelgänger is notorious for spreading fake articles on websites masquerading as real media outlets. The network aims to advance Kremlin interests and create discord among its adversaries, including the US and Western Europe.

Cyber threats against NATO surge amid Russo-Ukraine war

A significant increase in cyber threats against NATO has been observed, primarily linked to the ongoing Russo-Ukraine war. However, the perpetrators extend beyond Russia, with actors from various non-aligned nations targeting NATO technologies and defense secrets. The primary adversaries include Russian and Chinese state actors, financially motivated cybercriminals, and politically driven hacktivists.

On Wednesday, the North Atlantic Treaty Organization (NATO) announced plans to establish a new cyber defense center at its headquarters in Belgium aimed at protecting allied cyberspace operations. The Centre will inform NATO military commanders on possible threats and vulnerabilities in cyberspace, including privately-owned civilian critical infrastructures necessary to support military activities.

Multi-billion dollar marketplace Huione Guarantee linked to money laundering

Huione Guarantee, an ostensibly legitimate online marketplace, is reportedly being used for laundering money from online scams, particularly "pig butchering" investment fraud. A new report from blockchain analytics firm Elliptic revealed that merchants on Huione Guarantee have conducted transactions amounting to at least $11 billion, some of which are linked to various types of cybercrime, including investment fraud websites, personal data sales, and money laundering.

ViperSoftX malware is now being distributed as eBooks via torrents

Threat actors behind the sophisticated malware called ViperSoftX have evolved their distribution methods and now disguise the malware as eBooks delivered via torrents. A notable aspect of the current ViperSoftX variant is that it uses the Common Language Runtime (CLR) to dynamically load and run PowerShell commands, creating a PowerShell environment within AutoIt for its operations.

A large hosting provider linked to Russian cybercrime group Fin7

The Russia-based cybercrime group Fin7, known for its phishing and malware attacks causing around $3 billion in damages since 2013, was announced inactive by US authorities last year. However, in 2024, Fin7 has resurfaced, establishing thousands of fake websites impersonating various media and tech companies. This resurgence is aided by Stark Industries Solutions, a large hosting provider consistently linked to cyberattacks against Russia's adversaries, according to cybersecurity reporter Brian Krebs.

CRYSTALRAY threat actor expands operations

A new threat actor known as CRYSTALRAY has significantly broadened its targeting scope, using new tactics and exploits, and now has over 1,500 victims. Researchers at Sysdig, who have tracked CRYSTALRAY since February, report that the threat actor uses the SSH-Snake open-source worm to spread laterally within breached networks. SSH-Snake steals SSH private keys on compromised servers and uses them to infiltrate other servers, deploying additional payloads, such as cryptominers. Initially, Sysdig identified around 100 victims of the SSH-Snake attacks.

DoNex ransomware decryptor released

Researchers from cybersecurity firm Avast released a tool that helps to restore files encrypted by the DoNex ransomware and its predecessors.

Zotac exposes customers' RMA information on Google Search

Computer hardware manufacturer Zotac inadvertently exposed Return Merchandise Authorization (RMA) requests and related documents online, compromising sensitive customer information for an unknown duration. The cause was a misconfiguration of the web folders containing RMA data, which allowed search engines to index the affected folders and made them accessible through Google Search.

Information of millions of mSpy spyware customers exposed in a data breach

A data breach at mSpy, a phone surveillance company, has exposed millions of its customers and the Ukrainian company behind it. In May 2024, unknown attackers stole customer support tickets containing personal information, emails, and attachments, including personal documents. The breach affected records from mSpy's Zendesk-powered customer support system, dating back to 2014.

Two Australians arrested for spying for Russia

Australian authorities have arrested a Russian-born married couple, Igor and Kira Korolev, on espionage charges. The woman, a 40-year-old information systems technician in the Australian Army, allegedly attempted to access and send defense material to Russian officials.

The couple, who are Australian citizens, sought to breach national security, the Australian Federal Police (AFP) said. Kira reportedly traveled to Russia and instructed Igor to access her official account in Australia to retrieve defense materials. Both appeared in a Brisbane magistrate's court, each facing a charge of preparing for an espionage offence, which could result in a maximum penalty of 15 years in prison.
